Why do Smartsheet webhooks force developers to create webhooks only in a production environment?

In the docs, the following is stated:

  • Smartsheet webhooks do not support callbacks to servers using self-signed certificates. The callback server must be using a signed certificate from a certificate authority.
  • The callbackURL cannot be a private IP address.
  • The callbackURL must use one of the following ports: 443 (default for HTTPS), 8000, 8008, 8080, or 8443.

In other words, you cannot create a webhook in development or testing environments. It seems like there should be a way to do that because creating the hook in production would be horribly inconvenient.

Answers

  • Hey Cameron,

    Since web hooks connect to your host over the public Internet, we do require that the host present a certificate issued by a well-known certificate authority. This helps ensure that the web hook is sending data to the right host and that the data is encrypted. While this is more secure, it doesn’t prevent you from setting up web hooks to pre-production environments. It just means that the pre-production environments need to use trusted certificates too. I know some customers using web hooks are using certificates from Let's Encrypt, which are free, and they have some handy tools to make provisioning certificates easy.

    Hope this helps!

    Scott Willeke

    Director of Product Management

    Smartsheet

  • Hey Scott, thanks for the response.

    So what concerns me is bullet point #2 where it says "The callbackURL cannot be a private IP address". Private IP addresses are used by all applications that run in your development environment. If private IP addresses are the only URLs that you can use in a development environment, but sourcetree doesn't allow private IP addresses, I don't see how this will work.

  • Cameron:

    As an Internet-based application, our web hooks only connect to hosts over the public Internet. A private IP address cannot be exposed to the public Internet. So using a private IP would be a non-starter for other reasons (e.g. if we allowed private IP addresses it would essentially be connecting to private hosts in our own internal network).

    If I'm missing something here that would be better resolved over email, feel free to contact our support team at https://help.smartsheet.com/contact . Although probably not your fastest option, as an alternative you can schedule time with me directly and I can personally walk through your scenario with you. If you choose to do so, please use the following link to schedule time with me: https://calendly.com/activescott


    Scott Willeke

    Director of Product Management

    Smartsheet
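
The three callbackURL rules quoted in the question, together with the reason given in the last reply for refusing private addresses, written as a pre-flight check. This is an added example, not part of the thread and not Smartsheet's code; the HTTPS-only rule, the function names and the sample DNS table are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {443, 8000, 8008, 8080, 8443}  # ports from the quoted docs

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "dev.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "192.168.1.10"],
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]

def system_resolver(host):  # real DNS: every address the name resolves to
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_callback_url(url, resolve=system_resolver):
    """Return a list of rule violations; an empty list means the URL passes."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: CA-signed cert implies HTTPS only
        problems.append("scheme must be https")
    try:
        port = 443 if parts.port is None else parts.port
    except ValueError:
        port = None  # non-numeric or out-of-range port
    if port not in ALLOWED_PORTS:
        problems.append("port is not in the allowed list")
    if not (host := parts.hostname):
        return problems + ["missing host"]
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            addresses = []
    if not addresses:
        problems.append("host does not resolve")
    # Every address must be public: one internal record is enough to reject.
    for addr in addresses:
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            problems.append(f"{addr} is not a public address")
    return problems
```

A sender that applies a check like this should connect to the exact address it validated, because a host name can resolve differently between the check and the request.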